Even though I do the network administration at work I'm totally unfamiliar with many things that I should be. So I want to do some learning and exploration at home and take advantage of my Technet subscription (best money ever paid to MS).

So I've got a couple spare machines and I've also got Virtualbox and VMware Workstation and even a machine running VMware ESXi 4.1. I'd prefer to set all of this up using just virtualbox. I really don't know where to even start, other than at the beginning, by reading over here http://technet.microsoft.com/en-us/libr ... 66(v=ws.10).aspx

I don't even know what questions to ask; that's how noob I am at this. I started trying to think of questions to ask here but the only question I can think of is what questions should I be asking?

If you have any advice for this noob, I'd appreciate hearing any of it. Any links to recommended resources / guides / tutorials / etc. and such too. Hopefully I'll be able to report back with some kind of success story, eventually.

EDIT: OK, here's the success story so you don't have to read the whole thread:

flip-mode wrote:Well, I've succeeded in setting up an Active Directory domain. All done in a virtual machine environment, so my home network is totally unaffected.

So, the fundamentals were really simple. Here's what I did:

Step 1: Create an IPcop virtual machine to be your internet gateway and also the gateway to your home network. In the virtual machine settings create two network interfaces - configure one interface as bridged and one interface on an internal virtual network. Then in IPcop setup, configure the "red" interface as DHCP and the "green" interface as static 192.168.1.1. The "red" interface gets its IP address from my Linksys router, so it's got an address on the home network. Tell IPcop not to do DHCP or anything else. It's the most basic IPcop setup possible, I imagine.

Step 2: Create a Windows Server 2008 virtual machine for the Active Directory / DNS server. The virtual machine network settings should be configured to plug this machine's network interface into the same virtual network as IPcop's "green" interface. Install Win2008 and rename your computer to something appropriate for its mission. Mine is named a-ad1-dns ("a" is my signifier for all machines on this particular virtual network and domain, so it could just have been ad1-dns or just ad1). IP address is static 192.168.1.3. Gateway is 192.168.1.1. Primary and secondary DNS are both 192.168.1.3 (i.e. the machine looks to its own IP address for DNS - I don't know if this is the correct configuration but it seems to work, initially, at least). Then add the Active Directory role. During the course of that you will be asked if you want to configure DNS too and say "yes" to that. When you finish adding the role you'll actually have to open a command line and type "dcpromo.exe" to install Active Directory. I guess I was slightly surprised that the act of adding the role didn't also install Active Directory. Anyway, during Active Directory installation pick the obvious options, like "new forest" and such. I named my domain "first.test". Keep clicking through till you're finished. Once you're finished, well, your domain is created.

Step 3: Create a Windows Server 2008 virtual machine for DHCP. The virtual machine's network interface should also be plugged into the same virtual network that IPcop's green interface and the Active Directory server's interface are plugged into. Install Win 2008, set IP address to static 192.168.1.2, gateway 192.168.1.1, DNS 192.168.1.3. Rename the computer to whatever; mine is named a-dhcp. Join the computer to the domain; in my case that is the "first" or "first.test" domain. Add the domain administrator user to the computer. Log out then log into that account. Add the DHCP role. Go through that config process and pick the obvious things or read up where needed.

Step 4: Create client virtual machines and add them to the same virtual network, add them to the domain.

That's where I'm at so far. I'm sure there are about 1000 settings that need to be configured or something. But it's a working domain functioning at a basic level. Nifty.

FYI I have 8 gigs of RAM so I had to be sparing when giving RAM to the VMs. I gave 256 MB to IPcop. I gave 1 GB to each Windows 2008 and Windows 7 virtual machine.

Last edited by flip-mode on Thu Apr 05, 2012 4:07 pm, edited 1 time in total.

It probably is simple. My main questions right now revolve around DHCP. I get my DHCP from my ISP, and then I have DHCP on my home network. How does my local DNS tie in to all of that? Do I keep my router assigning DHCP or do I let windows server do that? Right now it seems the questions are more about network and DNS setup than AD setup.

Make sure you set the network interface to "bridged" mode. This will make the VM look like another (independent) machine on the network. If you leave it at the default (NAT), the VM will appear to be on a virtual NAT network "behind" the host, which can cause problems if you're using the VM to run a server.

VirtualBox's SMP support is not very efficient, I recommend configuring the VM to use just one (virtual) core.

Make sure you allocate plenty of RAM to the VM. Beef up the host's RAM if needed.

VirtualBox really needs the hardware virtualization extensions to run well; make sure you're using a CPU that supports them, and that they are enabled in the BIOS. AFAIK all AMD CPUs from Socket AM2 forward support hardware virtualization; for Intel you will need to consult the specifications for the specific CPU since they like to use virtualization support as one of their desktop/server segmentation features.

Thanks axeman. So for configuring the first DNS server handed out - that is done in my router, right, not in each client? And then you configure ISP's DNS servers in both the router and the local DNS server? I think that's making sense to me.

JBI: interesting to know about vbox's SMP support. For now I'm just going with vbox's recommended RAM and I am using bridged.

AMD's IOMMU (later called "AMD-Vi") virtualization (which Intel's VT-d is equivalent to) is included in most of their CPUs, but it's up to the motherboard manufacturer to enable it on the motherboard. The situation is similar to ECC memory support.

flip-mode wrote:JAE: interesting and unfortunate. I'm on a X4 955 BE for now, though.

Intel's product segmentation strategy is one of the reasons AMD is still my preferred CPU vendor. I do not like being forced to pay the premium for a Xeon system just because I want full support for hardware virtualization and/or ECC RAM.

JustAnEngineer wrote:AMD's IOMMU (later called "AMD-Vi") virtualization (which Intel's VT-d is equivalent to) is included in most of their CPUs, but it's up to the motherboard manufacturer to enable it on the motherboard. The situation is similar to ECC memory support.

Last time I checked, most/all of Intel's "desktop" CPUs and chipsets did not even support ECC RAM, so the motherboard vendor has no control over this.

On the AMD side, the only vendor I'm aware of that consistently supports ECC RAM on their desktop boards is Asus. (And this is the reason I tend to buy mostly Asus motherboards...)

IOMMU support still seems to be mostly confined to "server" motherboards (both Intel and AMD). But this is less important, unless you really want to do stuff like passing a PCI device through from the host to the guest at the hardware level.

As it's been suggested, turn off the DHCP on the router and let Windows handle it. Windows DNS and DHCP go hand in hand, so it's easier to let it do its thing. It should be noted Windows DHCP doesn't do automatic failover unless you're running Windows Enterprise, I think. Regardless, Windows Standard doesn't have it, so keep that in mind when you're planning.

DNS will get installed when AD is installed, and it will get set up at the same time. The most you'll need to do is add static records for any other servers you have. You could set up your ISP's DNS servers as servers to forward DNS requests to, but the Windows DNS shouldn't need this. Of course, at work I have a BIND box as the forward server that does nothing but cache Internet DNS requests, so check your performance with and without the forward setup. Also, set up the AD domain's DNS to be AD integrated. If you add a second server, the DNS for the domain will automatically replicate between the two servers.

Speaking of second servers: you should set up two AD servers. A big part of AD is knowing the different roles and how to migrate them and figure out what is doing what.

AD uses Kerberos, and Kerberos tokens are time sensitive. If you have servers that aren't Windows, like Samba, they will need to be set up to use the Global Catalog (the main DC) server as their NTP server or things will get wonky.

I would install this on the ESXi 4.1 box, as you will need to keep this up 24/7.

AD is pretty light on resources, but Windows is a beast. I'd recommend 80GB hard drive with single proc and 4GB of RAM as the optimum setup, but you could get by with 60GB, single proc, and 2GB of RAM. You can easily expand the HD in 2008+, so it's just a matter of expanding the HD in the VM host then adding the space in Disk Management.

Last piece of advice. Don't install Exchange or SQL Server on the DCs. Put those on separate servers because they put all sorts of hooks into the OS, and they will mess things up if you want to migrate to a newer version in the future.
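Two of the points above (know which DC holds which role before you add a second one; keep every box within Kerberos clock tolerance) are easy to check from a script. This is an added example, not spider's or flip-mode's own commands. It assumes the DC name used later in the thread (a-ad1-dns.first.test), that it runs on a domain member with the AD DS tools (netdom) installed, and that w32tm's /dataonly lines have the "hh:mm:ss, +00.0012345s" shape; the 2-minute warning threshold is an arbitrary margin under Kerberos' default 5-minute skew limit.

```powershell
# Added example (not from the thread): FSMO inventory and Kerberos clock-skew check.
# Assumptions: DC name a-ad1-dns.first.test, netdom available, w32tm output format.

# 1. Which DC holds which operations master role. Knowing this before adding a second
#    DC is what makes the later role transfers deliberate instead of a surprise.
netdom query fsmo

# 2. Kerberos rejects tickets when client and KDC clocks differ by more than 5 minutes
#    (default). Measure this machine's offset from the DC and resync if it is drifting.
function Get-ClockOffsetSeconds {
    param([string]$Dc = "a-ad1-dns.first.test")
    $lines = w32tm /stripchart /computer:$Dc /samples:3 /dataonly
    # assumption: each sample line looks like "12:00:01, +00.0012345s"
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    if (-not $offsets) { throw "could not parse w32tm output from $Dc" }
    return ($offsets | Measure-Object -Average).Average
}

$offset = Get-ClockOffsetSeconds
if ([math]::Abs($offset) -gt 120) {
    Write-Warning ("Clock is {0:N1}s off from the DC; Kerberos fails past 300s. Resyncing." -f $offset)
    # Members and non-PDC DCs follow the domain hierarchy. Only the PDC emulator should
    # point at an external NTP source; configure that one separately, on the DC itself.
    w32tm /config /syncfromflags:DOMHIER /update
    w32tm /resync
} else {
    "Clock offset from DC: {0:N3}s (within Kerberos tolerance)" -f $offset
}
```

Run it on each non-DC box after joining it; a Samba or Linux member would get the same check with ntpdate -q against the DC instead of w32tm.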

First, I haven't performed any configuration of the router as axeman suggested, mainly because it's not very clear at all where to configure which DNS server gets handed out. The router is running a few-years-old version of Tomato. Perhaps I should switch back to the Linksys firmware or something.

As for the active directory domain controller, I set it up with a static IP even though the router is handing out DHCPs. Neither the router nor the computer seem to mind this. I manually configured the computer's network connection to look to itself for DNS1 and to look to my ISP's DNS server for DNS2. The computer seems to connect to the internet. I dunno if that's right though. So then I clicked through the Active Directory wizard and seem to have completed installing Active Directory, and I get this message:

A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain flip.mode.com. Otherwise, no action is required. Do you want to continue?

And I said yes and then I get:

Active Directory Domain Services is now installed on this computer for the domain "flip.mode.com". This Active Directory domain controller is assigned to the site "Default-First-Site-Name". You can manage sites with the Active Directory Sites and Services administrative tool.

I'm taking this as a step in the right direction. This is what virtual machine snapshots are for. I may end up doing this 5 times until I get it right.

You are getting the apparently conflicting errors because you used a .com address for your domain. It is looking to the top level domain servers to see who registered mode.com. And it is not you. I would HIGHLY suggest restarting your domain with either a .local or .priv address (making it flip.mode.local or flip.mode.priv). You don't have the appropriate ownership of the mode.com domain, and even though this won't affect anything it's a bad practice to get into.

The only configuration you should have to do with your router is disabling DHCP. Without that, it won't matter if you have DNS installed on it or not; DHCP is what gives the clients on your network the addresses of the DNS servers to look for. No DHCP means no addresses that you haven't put in your server.

If he did flip.mode.local, he'd still get the error, because mode.local doesn't exist. It's not a conflict, it's just one message saying it couldn't create a delegation, and another saying the domain was created. A delegation is just a link to the domain from another DNS namespace.

It's a normal message, and you only need to concern yourself with it when creating sub-domains within a forest (I can't think of any other good reason to pay attention to it).

I will agree that you probably should do something like flipmode.msft, (.local is quasi-real, I've read Macs have trouble with it) since it isn't a real-world domain. Since it's just a home network, it's probably not a big deal.

Interesting topic for those of us that have never used AD and are interested in it. Informative posts spider and ax.

Gleek, forums are for discussing relevant topics of interest and being social. Everyone could just google everything, but then we'd have nothing to discuss nor would this forum be used for its intended purpose.

absurdity wrote:If he did flip.mode.local, he'd still get the error, because mode.local doesn't exist. It's not a conflict, it's just one message saying it couldn't create a delegation, and another saying the domain was created. A delegation is just a link to the domain from another DNS namespace.

Ah, thanks for the clarification

absurdity wrote:I will agree that you probably should do something like flipmode.msft, (.local is quasi-real, I've read Macs have trouble with it) since it isn't a real-world domain. Since it's just a home network, it's probably not a big deal.

Macs use the .local domain by default. If memory serves, older versions of OS X would reject any traffic on .local domains if it wasn't a Mac-specific protocol (again, not 100% on this, last time I did Mac support was not on a .local domain). Depending on the version of OS X different things would break.

I manually configured the computers network connection to look to itself for DNS1 and to look to my ISPs DNS server for DNS2.

While that's fine for a redundancy perspective, you want to go into the DNS Manager and set your ISP DNS servers as a Forward.

The DNS delegation informational prompt is irrelevant in this case. Life will even continue if you're using a public domain name you don't actually own. From a perfectionist point of view, you should be using a TLD that isn't approved by ICANN.

This also should really be in the Windows forum.

"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
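The DNS housekeeping recommended in this post and in spider's earlier one (forwarders to the ISP instead of a second NIC-level DNS entry, an AD-integrated zone, and a quick test of whether the parent of your chosen domain name is a real public zone) can be done with dnscmd and nslookup on the DC. This is an added example, not any poster's own commands. It assumes the thread's DC and zone names (a-ad1-dns, first.test); the forwarder addresses are TEST-NET-3 placeholders to replace with the ISP's resolvers, and the "DS integrated" line in dnscmd /ZoneInfo output is an assumption about its format.

```powershell
# Added example (not from the thread): forwarders, AD-integration check, parent-zone test.
# Assumptions: DC a-ad1-dns, zone first.test, placeholder forwarder addresses.
$Dc   = "a-ad1-dns"
$Zone = "first.test"
$IspResolvers = @("203.0.113.53", "203.0.113.54")   # placeholders (TEST-NET-3), not real resolvers

# 1. Forwarders: anything the DC is not authoritative for goes to the ISP resolvers.
#    The DC's own NIC keeps pointing only at itself; the NIC-level "DNS2 = ISP" entry
#    would let the DC occasionally answer lab names from the ISP and get NXDOMAIN.
dnscmd $Dc /ResetForwarders $IspResolvers

# 2. Confirm the zone lives in AD, so a second DC replicates it without any zone transfer setup.
$zoneInfo = dnscmd $Dc /ZoneInfo $Zone
if ($zoneInfo -match 'DS\s*integrated\s*=\s*1') {
    "$Zone is AD-integrated"
} else {
    Write-Warning "$Zone is file-backed; convert it with: dnscmd $Dc /ZoneResetType $Zone /DsPrimary"
}

# 3. The delegation prompt: does the parent of the lab domain exist on the public Internet?
#    If it does, someone else owns that namespace and lab queries can leak to their servers.
function Test-ParentZonePublic {
    param([string]$DomainName)
    $parent = $DomainName.Substring($DomainName.IndexOf('.') + 1)
    $ns = nslookup -type=NS $parent 2>$null
    return [bool]($ns -match '\bnameserver\s*=')
}

foreach ($candidate in "flip.mode.com", $Zone) {
    if (Test-ParentZonePublic $candidate) {
        Write-Warning "$candidate sits under a registered public zone; pick a name like flipmode.msft instead"
    } else {
        "$candidate has no public parent zone; the delegation message can be ignored"
    }
}
```

For first.test the parent is .test, which is reserved and has no public nameservers, so the function returns false and the delegation prompt is exactly the harmless message absurdity describes.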

JustAnEngineer wrote:AMD's IOMMU (later called "AMD-Vi") virtualization (which Intel's VT-d is equivalent to) is included in most of their CPUs, but it's up to the motherboard manufacturer to enable it on the motherboard.

But IO virtualization (Intel's vt-d or AMD-Vi) is separate from the basic hardware extensions for virtualization (Intel's vt-x or AMD-V). AFAIK the virtualization solutions that require hardware support only demand the latter, which is available on many recent Intel processors, not just Xeons but also desktop CPUs including the unlocked "K" i5 and i7 products. The IO virtualization (vt-d) is much rarer, and for whatever reason seems to be excluded from the K processors. It might be nice to have for performance or feature reasons, but I don't think it's a hard requirement for basic virtualization in the products that require hardware virtualization support (I could be wrong on that as I haven't reviewed the requirements recently but that's my recollection from the last time I looked). You'd want it if you're trying to game inside the VM or doing high-throughput network tasks or something, but for educational "mucking around" purposes it shouldn't matter.

(There's a tangent here related to Thunderbolt/Lightpeak giving external devices DMA access to the physical memory map and the necessity for virtualized IO to secure the system against the obvious threat that poses, but it's off-topic here -- I'll just say Intel better make vt-d a standard baseline feature by the time they're building TB/LP into their chipsets.)

I've been mulling things over for the past 24 hours. I got to thinking that I want this experiment to be entirely virtual and on its own virtual network and keep from messing with my home network at all. After thinking about this and googling around my plan is to install IPcop in a virtual machine and have it be the gateway between my home network and the internal virtual network.

After all that was said above I think what I need to do is to set both NICs on IPcop as DHCP and then set up my Active Directory / DNS / DHCP virtual machine. Sound about right? It seems weird to have the gateway / router set to DHCP instead of static.

Edit... hm... I'm confusing myself. I think I want to set IPcop's lan interface as static still. Then set my Active Directory server as static too, and when it serves out DHCP it will serve out the remaining available IPs. So... here's the start of the test network setup:

IPcop lan: 192.168.1.1
AD Server: 192.168.1.2
Domain name will be local.local so clients would be client-1.local.local

Oh, and IPcop is successfully functioning as a gateway from the virtual network that at least gets me to the internet. Haven't checked for connections between vm lan and home lan yet.

Bensam123 wrote:Interesting topic for those of us that have never used AD and are interested in it. Informative posts spider and ax.

Gleek, forums are for discussing relevant topics of interest and being social. Everyone could just google everything, but then we'd have nothing to discuss nor would this forum be used for its intended purpose.

I wanted to check back on this point - I did the snapshot before adding the Active Directory role, so I'm hoping I should be able to go back to that snapshot to redo the Active Directory setup. Any thoughts on that?

flip-mode wrote:I've been mulling things over for the past 24 hours. I got to thinking that I want this experiment to be entirely virtual and on its own virtual network and keep from messing with my home network at all. After thinking about this and googling around my plan is to install IPcop in a virtual machine and have it be the gateway between my home network and the internal virtual network.

Yeah, you can use the VirtualBox "Host Only" or "Internal" network adapter type to do this. The two types differ in that VMs on a Host Only network can see the host (but not any other networks the host is connected to), while VMs on an Internal network can only see each other (they can't even see the host).

flip-mode wrote:After all that was said above I think what I need to do is to set both NICs on IPcop as DHCP and then set up my Active Directory / DNS / DHCP virtual machine. Sound about right? It seems weird to have the gateway / router set to DHCP instead of static.

Erm... where's the inward facing interface going to get its DHCP address from? It isn't going to be able to "see" your regular DHCP server, since it will effectively be on a different network. Unless you intend to use VirtualBox's built-in DHCP server to dole out IPs to the machines on the internal network...
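The adapter types JBI describes here and the bridged/RAM/one-core advice from earlier in the thread map directly onto VBoxManage, which is easier to audit than clicking through the GUI for each VM. This is an added example, not JBI's or flip-mode's commands. It assumes the VM names ipcop, a-ad1-dns and a-dhcp, an internal network named "adlab", and a host adapter name you would take from VBoxManage list bridgedifs; it runs in PowerShell on the host with VBoxManage on the PATH.

```powershell
# Added example (not from the thread): wire the lab network with VBoxManage.
# Assumptions: VM names ipcop / a-ad1-dns / a-dhcp, intnet name "adlab", host NIC name.
$HostNic = "Realtek PCIe GBE Family Controller"   # replace with a name from: VBoxManage list bridgedifs

# IPcop: NIC1 bridged onto the home LAN ("red"), NIC2 on the internal network ("green").
# 256 MB and one core, matching the allocations in the thread.
VBoxManage modifyvm ipcop --nic1 bridged --bridgeadapter1 $HostNic
VBoxManage modifyvm ipcop --nic2 intnet --intnet2 adlab
VBoxManage modifyvm ipcop --memory 256 --cpus 1

# Windows servers get a single NIC on the internal network only, so the only path to the
# home LAN and the Internet is through IPcop, and the host cannot reach them directly.
foreach ($vm in "a-ad1-dns", "a-dhcp") {
    VBoxManage modifyvm $vm --nic1 intnet --intnet1 adlab --memory 1024 --cpus 1
}

# VirtualBox can run its own DHCP server on an intnet. Make sure none is active on adlab,
# otherwise it competes with the Windows DHCP server at 192.168.1.2 and clients get
# whichever offer arrives first.
VBoxManage list dhcpservers | Select-String -Pattern "NetworkName|Enabled"
VBoxManage dhcpserver modify --netname adlab --disable 2>$null   # errors harmlessly if none was ever defined

# Verify the wiring before booting anything.
foreach ($vm in "ipcop", "a-ad1-dns", "a-dhcp") {
    VBoxManage showvminfo $vm --machinereadable |
        Select-String -Pattern '^(nic|intnet|bridgeadapter)\d=' |
        ForEach-Object { "  $vm : $_" }
}
```

If you would rather the host be able to reach the lab (for RDP from the host, say), switch the servers' NIC from intnet to a host-only adapter as JBI describes; the trade-off is that the host then sits on the same segment as the domain.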

flip-mode wrote:I wanted to check back on this point - I did the snapshot before adding the Active Directory role, so I'm hoping I should be able to go back to that snapshot to redo the Active Directory setup. Any thoughts on that?

A great idea for experimenting with virtual machines is to completely build your base image (for example Server 2008 with all updates and hardware configured) then to run a sysprep on it. This will remove all the unique information about the machine (sid, mac address, activation keys, etc) and then copy your base image into a separate folder or backup. This way when you want to deploy a new machine all you have to do is copy your base image to where you host your VMs and BAM! Power it on, run a quick wizard and you're set.

About the snapshot you should be fine. The only issue would be if you have deployed other servers in your environment. If there is no information about your old domain on your network there's no chance of anything going wonky.

Well, I've succeeded in setting up an Active Directory domain. All done in a virtual machine environment, so my home network is totally unaffected.

So, the fundamentals were really simple. Here's what I did:

Step 1: Create an IPcop virtual machine to be your internet gateway and also the gateway to your home network. In the virtual machine settings create two network interfaces - configure one interface as bridged and one interface on an internal virtual network. Then in IPcop setup, configure the "red" interface as DHCP and the "green" interface as static 192.168.1.1. The "red" interface gets its IP address from my Linksys router, so it's got an address on the home network. Tell IPcop not to do DHCP or anything else. It's the most basic IPcop setup possible, I imagine.

Step 2: Create a Windows Server 2008 virtual machine for the Active Directory / DNS server. The virtual machine network settings should be configured to plug this machine's network interface into the same virtual network as IPcop's "green" interface. Install Win2008 and rename your computer to something appropriate for its mission. Mine is named a-ad1-dns ("a" is my signifier for all machines on this particular virtual network and domain, so it could just have been ad1-dns or just ad1). IP address is static 192.168.1.3. Gateway is 192.168.1.1. Primary and secondary DNS are both 192.168.1.3 (i.e. the machine looks to its own IP address for DNS - I don't know if this is the correct configuration but it seems to work, initially, at least). Then add the Active Directory role. During the course of that you will be asked if you want to configure DNS too and say "yes" to that. When you finish adding the role you'll actually have to open a command line and type "dcpromo.exe" to install Active Directory. I guess I was slightly surprised that the act of adding the role didn't also install Active Directory. Anyway, during Active Directory installation pick the obvious options, like "new forest" and such. I named my domain "first.test". Keep clicking through till you're finished. Once you're finished, well, your domain is created.

Step 3: Create a Windows Server 2008 virtual machine for DHCP. The virtual machine's network interface should also be plugged into the same virtual network that IPcop's green interface and the Active Directory server's interface are plugged into. Install Win 2008, set IP address to static 192.168.1.2, gateway 192.168.1.1, DNS 192.168.1.3. Rename the computer to whatever; mine is named a-dhcp. Join the computer to the domain; in my case that is the "first" or "first.test" domain. Add the domain administrator user to the computer. Log out then log into that account. Add the DHCP role. Go through that config process and pick the obvious things or read up where needed.

Step 4: Create client virtual machines and add them to the same virtual network, add them to the domain.

That's where I'm at so far. I'm sure there are about 1000 settings that need to be configured or something. But it's a working domain functioning at a basic level. Nifty.

FYI I have 8 gigs of RAM so I had to be sparing when giving RAM to the VMs. I gave 256 MB to IPcop. I gave 1 GB to each Windows 2008 and Windows 7 virtual machine.
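Steps 2 and 3 above, scripted, so the build is repeatable after each snapshot rollback. This is an added example, not flip-mode's own commands. It uses the thread's names and addresses (a-ad1-dns at 192.168.1.3, a-dhcp at 192.168.1.2, gateway 192.168.1.1, domain first.test) and otherwise assumes Windows Server 2008 with PowerShell installed, one IP-enabled adapter per VM, an elevated prompt, and the DSRM password placeholder replaced before use; the dcpromo answer-file keys are the documented [DCInstall] unattend parameters, and the reboots marked in comments are run separately.

```powershell
# Added example (not flip-mode's commands): Steps 2 and 3 for Windows Server 2008.
# Assumptions: thread addresses/names, one IP-enabled NIC per VM, elevated prompt.

function Set-LabStaticIp {
    # Static address on the first IP-enabled adapter. DNS is the DC only: that is what
    # keeps lab name resolution inside the virtual network instead of the home LAN.
    param([string]$Ip, [string]$Gateway = "192.168.1.1", [string]$Dns = "192.168.1.3")
    $nic = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE")[0]
    [void]$nic.EnableStatic(@($Ip), @("255.255.255.0"))
    [void]$nic.SetGateways(@($Gateway), @(1))
    [void]$nic.SetDNSServerSearchOrder(@($Dns))
}

# ---- Step 2, on a-ad1-dns: static IP, then promote with an answer file ----
Set-LabStaticIp -Ip 192.168.1.3
$answerPath = Join-Path $env:TEMP "dcpromo-first-test.txt"
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=first.test
DomainNetbiosName=FIRST
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
CreateDNSDelegation=No
ConfirmGc=Yes
SafeModeAdminPassword=DSRM_PASSWORD_PLACEHOLDER
RebootOnCompletion=No
"@ | Set-Content -Path $answerPath -Encoding ASCII
# CreateDNSDelegation=No is the scripted answer to the "delegation cannot be created" prompt
# discussed later in the thread. dcpromo installs the AD DS binaries itself if the role is absent.
dcpromo /unattend:$answerPath
Remove-Item $answerPath        # the file holds the DSRM password; never leave it on disk
shutdown /r /t 0

# ---- Step 3, on a-dhcp: static IP, rename, join, DHCP role, scope, AD authorization ----
Set-LabStaticIp -Ip 192.168.1.2
$cs = Get-WmiObject Win32_ComputerSystem
[void]$cs.Rename("a-dhcp")
shutdown /r /t 0               # reboot so the new name is in effect before joining

# after the reboot:
$cs = Get-WmiObject Win32_ComputerSystem
$pw = Read-Host "FIRST\Administrator password"    # typed at run time, never stored in the script
[void]$cs.JoinDomainOrWorkgroup("first.test", $pw, "FIRST\Administrator", $null, 3)  # 3 = join + create account
shutdown /r /t 0

# after the second reboot, logged on as FIRST\Administrator:
servermanagercmd -install DHCP
netsh dhcp server add scope 192.168.1.0 255.255.255.0 lab-scope
netsh dhcp server scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.199  # .1-.3 stay static, outside the pool
netsh dhcp server scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1 # router = IPcop green
netsh dhcp server scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.3 # DNS = the DC, not the ISP
netsh dhcp server scope 192.168.1.0 set optionvalue 015 STRING first.test
netsh dhcp server scope 192.168.1.0 set state 1
netsh dhcp add server a-dhcp.first.test 192.168.1.2   # authorize in AD; unauthorized Windows DHCP servers stay silent
```

Handing clients only the DC as their DNS server (option 006) is the part that matters most: a client that also has the ISP's resolver listed can resolve first.test names against the wrong server and fail to find the domain intermittently, which looks exactly like a broken domain join.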